Foreign companies often ask the wrong opening question about Italy and the GDPR. They ask whether the Regulation applies only once they have incorporated an Italian company, opened a branch, or hired local staff. In practice, the legal analysis is broader and more operational. The decisive question is whether a given processing activity falls within the territorial scope of the GDPR because it is carried out in the context of an establishment in the European Union, or because a non-EU controller or processor targets individuals in the Union by offering goods or services or by monitoring their behaviour.

That distinction matters because many international groups underestimate how quickly routine commercial expansion can create GDPR exposure. A sales office, a local business development function, a distributor structure closely integrated with the group, an Italian-facing website, the systematic collection of leads from Italy, customer support for Italian users, the centralisation of HR data for local staff, or the use of analytics to track behaviour in the Union can all become part of the territorial analysis. In other words, the GDPR is not triggered only by formal corporate architecture. It is triggered by the factual relationship between business operations, personal data processing, and the Union.

For foreign companies with interests in Italy, this has a practical consequence. 'Doing business in Italy' does not produce a simple yes-or-no answer. The correct legal approach is to map the relevant processing activities and test them against the GDPR's jurisdictional hooks. Some operations will fall squarely within Article 3(1). Others may be caught by Article 3(2). Some may sit outside the Regulation altogether. The result is often mixed, and that is precisely why a generic group privacy framework is frequently inadequate.

Article 3(1): establishment is a functional concept, not a formal one

The first jurisdictional gateway is establishment. Under Article 3(1), the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing itself takes place in the Union. This is a functional concept, not a purely corporate one. The Court of Justice of the European Union and the European Data Protection Board have consistently treated 'establishment' in a broad and pragmatic way — a position firmly anchored in the landmark Google Spain ruling (C-131/12) and elaborated in the EDPB Guidelines 3/2018 on Territorial Scope. The test is not limited to the existence of a subsidiary with extensive local infrastructure. The inquiry looks at the effective and real exercise of activities through stable arrangements in the Union.

That is why foreign groups sometimes misread their own risk. They may think that because data is hosted outside Europe, group decisions are taken at headquarters, or contracts are signed by a non-EU parent company, the GDPR cannot fully apply. That is not how Article 3 works. If the relevant processing is carried out in the context of the activities of an EU establishment, the place where servers sit or where management formally resides does not, by itself, take the processing outside the GDPR.

For businesses focused on Italy, the difficult issue is often the expression 'in the context of the activities.' The phrase is wider than many assume. A local establishment does not need to carry out the processing itself in a narrow technical sense. What matters is whether there is an inextricable link between the processing and the activities of the establishment. If an Italian or other EU establishment promotes, supports, monetises, coordinates, or otherwise forms part of the commercial operation to which the processing relates, Article 3(1) may be engaged even where the data is processed centrally outside Italy.

This is one reason why sales-driven structures deserve careful attention. A foreign company may have no Italian incorporated subsidiary, yet still maintain a stable commercial presence directed at the Italian market through personnel, representatives, or an operational office elsewhere in the Union that supports Italian business. If that presence is not merely incidental, and the relevant processing is bound up with those activities, a full GDPR analysis becomes necessary. The same is true where a group has staff or contractors in Italy handling leads, relationship management, after-sales support, recruitment, compliance coordination, or customer success functions.

What does not automatically trigger full application

At the same time, not every commercial touchpoint creates an establishment. A website that can be passively accessed from Italy is not enough. Mere accessibility in the Union does not, on its own, mean that a foreign company is established here or that it is offering goods or services to individuals in the Union. The analysis must remain evidence-based. Stable arrangements, economic reality, role in the relevant business model, and connection to the processing all matter. The GDPR does not punish geographical distance; it attaches legal consequences to factual integration with the EU market.

Article 3(2): targeting and monitoring can bring non-EU businesses into scope

The second gateway is Article 3(2), which applies even in the absence of an establishment in the Union. A non-EU controller or processor may still be subject to the GDPR if it processes personal data of individuals who are in the Union in connection with the offering of goods or services to them, or with the monitoring of their behaviour as far as that behaviour takes place within the Union. This is especially relevant for foreign companies that approach Italy digitally before they build any local corporate footprint.

In practice, the 'offering of goods or services' limb is often misunderstood. The fact that a website is technically reachable from Italy is not sufficient. The question is whether the business is actually envisaging commercial engagement with individuals in the Union. Indicators can include the use of EU languages or currencies in a way directed at the market, references to customers or users in Member States, shipping or service availability in the Union, localised marketing, or the explicit pursuit of customers in countries such as Italy. The analysis is contextual. No single factor is always decisive, but the overall pattern of targeting is.

The 'monitoring' limb is equally important and increasingly relevant. Behavioural advertising, tracking technologies, profiling, analytics tools, and other methods used to observe how individuals in the Union behave online may bring a foreign company within the GDPR even before it has a traditional local business structure. This matters for international groups launching digital products, apps, e-commerce operations, SaaS platforms, or data-driven marketing campaigns that touch Italian users. If people in Italy are being tracked, profiled, segmented, or behaviourally analysed, the territorial question cannot be treated as an afterthought. The Court of Justice's Fashion ID ruling (C-40/17) further clarifies that joint controllership can arise even where a party's direct involvement in processing is limited — a consideration that applies with particular force in digital marketing and analytics contexts.

Why the analysis must be done processing by processing

For many foreign groups, the true answer is that the GDPR may fully apply to some processing activities long before the company feels 'European' in any organisational sense. A group can be outside the Union, without an Italian legal entity, and still be inside the GDPR for lead generation, customer acquisition, platform analytics, account management, or other processing linked either to Article 3(2) targeting or to the activities of an EU establishment elsewhere in the group structure.

This is why the right unit of analysis is the processing operation, not the group in the abstract. A multinational may run some activities entirely outside the GDPR, while other activities fall directly within it. Legal teams that ask only whether 'the company' is subject to the GDPR often frame the problem too broadly and therefore solve it badly. The more disciplined question is: which processing activities, involving which data subjects, in connection with which operations, are caught by which territorial trigger?

Why Italy adds a second layer of complexity

That operational view also helps explain why Italy creates a specific layer of complexity. Once a foreign group becomes subject to the GDPR for activities connected with Italy, the analysis usually cannot stop at the Regulation's text alone. The Italian data protection framework — the Codice Privacy (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018) — introduces additional rules and sector-specific obligations that interact with the GDPR across employment, internal monitoring, marketing, cookie governance, and whistleblowing channels. The Garante per la Protezione dei Dati Personali, Italy's national supervisory authority, has developed a body of guidance and enforcement practice in these areas that goes beyond what can be inferred from the Regulation alone. The territorial hook is only the beginning; local operationalisation is where the real legal work often starts.

Another common mistake is to assume that using an Italian distributor automatically pushes all upstream processing outside the foreign company's GDPR exposure. Distribution models require careful factual analysis. Sometimes the distributor acts independently for its own customer base and purposes. Sometimes, however, the foreign group remains heavily involved in lead qualification, CRM visibility, customer analytics, warranty management, post-sale support, or centralised marketing. In those cases, the foreign company may still be processing personal data in ways that trigger the GDPR. The existence of a distributor does not by itself solve the territorial issue.

Similarly, foreign businesses often underestimate internal data flows. Recruitment relating to Italian candidates, centralised HR administration for local employees, due diligence in relation to an Italian target or branch, access rights to shared systems, global compliance investigations touching personnel in Italy, or the use of group-wide monitoring tools can all create GDPR relevance. The territorial analysis is not confined to front-end customer data. It extends to workforce, governance, and operational data ecosystems.

The Article 27 issue often appears earlier than expected

Where a foreign company is caught by Article 3(2) and has no establishment in the Union, Article 27 must also be considered. In many cases, the controller or processor will need to designate a representative in the Union, unless a narrow exception applies. This point is often neglected in early market-entry stages because businesses focus on commercial rollout and contract execution, not on the representative model, records, notices, governance documents, and supervisory authority interface that may become necessary. Yet failing to design this architecture early can create friction exactly when a business is trying to scale.

Once territorial scope is established, a further question immediately arises: how are personal data flows back to the group's headquarters or to third-country processors governed? The selection of appropriate transfer mechanisms — standard contractual clauses, binding corporate rules, or adequacy decisions — is a direct downstream consequence of the territorial analysis. It is one reason why addressing scope early is not merely a compliance formality but a precondition for building a data governance structure that can sustain international operations.

A more useful legal approach for foreign companies entering Italy

The practical lesson is that territorial scope should be analysed before, not after, operational launch. For a foreign company entering or expanding in Italy, the right sequence is not to roll out commercial activity first and ask privacy questions later. It is to identify the business model, map the processing operations, examine whether there is an EU establishment or targeted offering or monitoring, determine the roles of the relevant entities, and then build the compliance architecture around that reality. When businesses invert this sequence, they usually end up patching gaps under time pressure.

A disciplined pre-launch or early-stage assessment should normally cover at least five points:

1. What data is being collected, from whom, and for which business purposes?

2. Which group entity or entities actually determine purposes and means for each processing stream?

3. What is the nature of the company's factual presence in Italy or elsewhere in the Union?

4. Are individuals in the Union being targeted or monitored?

5. What further obligations follow once the territorial hook is established, including notices, lawful bases, contracts, transfer mechanisms, representative requirements, and local Italian overlays?

Conclusion

Seen in this way, the territorial scope of the GDPR is not an abstract jurisdictional debate. It is an entry-point issue in legal design for foreign companies operating in or toward Italy. It determines whether the organisation is merely watching the Italian market from outside, or has already stepped into a regulated data environment with real accountability duties.

The companies that manage this well are not necessarily the ones with the largest compliance budgets. They are the ones that recognise early that GDPR scope is a business architecture question. They do not reduce the analysis to incorporation formalities or server location. They look at how their commercial presence, digital targeting, group structure, and data operations fit together. That is the level at which the real answer emerges.

For foreign companies doing business in Italy, the question is not simply whether the GDPR fully applies. The better question is when, through which activities, and with which consequences it applies. The real issue is rarely whether the GDPR applies in theory, but how the territorial scope analysis is translated into governance choices, operational responsibilities, and data-flow design in practice. Once that question is asked properly, the legal roadmap becomes much clearer, and usually much more actionable.

If your company is expanding into Italy, operating through a branch, local unit, sales structure or distributor network, data protection should be assessed before compliance gaps become operational or regulatory risks.

P&S Legal works with foreign companies and international groups to map their actual GDPR exposure in Italy and design the governance architecture needed to address it.

Where appropriate, we help clients identify exposure areas, build compliant governance frameworks and address the privacy implications of workforce, commercial and cross-border data flows.